YARA-ing with MacOS
2023-01-16 • Greg Lesewich •
https://github.com/g-les/100DaysofYARA/blob/main/100DaysofYARA_2023_Blog4_CloudMensis_RokRAT.ipynb
The notebook walks through macOS malware analysis and YARA development using the CloudMensis spyware component as the specimen, noting ESET's earlier disclosure of CloudMensis and Volexity's attribution of the related RokRAT activity to APT37. The analysis identifies a universal (fat) Mach-O binary with x86_64 and arm64 slices, extracts the Intel slice, checks whether the binary carries a code signature, and uses Mach-O segment/section names and Objective-C class metadata to pick strings and structural conditions for the rules. Its value for DPRK-focused tracking is practical detection engineering for CloudMensis/RokRAT-related macOS tooling rather than a new intrusion report.
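The triage steps the notebook performs (enumerate the slices of a universal Mach-O, extract the x86_64 one, look for a code-signature load command, then read section names and the `__objc_classname` strings that anchor the rules) as a worked example. This is added code, not the notebook's own; it uses only Python's `struct`, and the fat binary it parses is constructed in memory (the class names `PlaceholderClassA`/`PlaceholderClassB` and the section contents are made up) so it runs offline. Pass a real file path as the first argument to run it on an actual sample.

```python
"""Fat Mach-O triage: slices, x86_64 extraction, signing, sections, ObjC class names.
Added example (not from the notebook). The sample binary is constructed below."""
import struct

FAT_MAGIC = 0xCAFEBABE          # fat header is big-endian on disk
MH_MAGIC_64 = 0xFEEDFACF        # 64-bit thin header, little-endian on x86_64/arm64
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
LC_SEGMENT_64 = 0x19
LC_CODE_SIGNATURE = 0x1D
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}


def _cstr(raw):
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def fat_arches(data):
    """[(cputype, offset, size)] for a fat file; a thin 64-bit Mach-O yields one entry."""
    if struct.unpack(">I", data[:4])[0] == FAT_MAGIC:
        nfat = struct.unpack(">I", data[4:8])[0]
        arches = []
        for i in range(nfat):  # fat_arch: cputype, cpusubtype, offset, size, align
            ct, _sub, off, size, _al = struct.unpack(">IIIII", data[8 + 20 * i:28 + 20 * i])
            arches.append((ct, off, size))
        return arches
    if struct.unpack("<I", data[:4])[0] == MH_MAGIC_64:
        return [(struct.unpack("<I", data[4:8])[0], 0, len(data))]
    raise ValueError("not a fat or 64-bit Mach-O")


def extract_slice(data, cputype):
    """Return the raw bytes of one architecture slice (what `lipo -thin` would write)."""
    for ct, off, size in fat_arches(data):
        if ct == cputype:
            return data[off:off + size]
    raise KeyError("no slice for cputype %#x" % cputype)


def parse_thin(slice_):
    """Walk the load commands of a 64-bit LE slice: sections and LC_CODE_SIGNATURE."""
    magic, cputype, _sub, _ft, ncmds, _szc, _fl, _res = struct.unpack("<8I", slice_[:32])
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit Mach-O slice")
    info = {"arch": CPU_NAMES.get(cputype, hex(cputype)), "sections": [], "code_signature": None}
    pos = 32
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack("<II", slice_[pos:pos + 8])
        if cmd == LC_SEGMENT_64:           # segment_command_64 is 72 bytes, section_64 is 80
            segname = _cstr(slice_[pos + 8:pos + 24])
            nsects = struct.unpack("<I", slice_[pos + 64:pos + 68])[0]
            sec = pos + 72
            for _ in range(nsects):
                sectname = _cstr(slice_[sec:sec + 16])
                size = struct.unpack("<Q", slice_[sec + 40:sec + 48])[0]
                offset = struct.unpack("<I", slice_[sec + 48:sec + 52])[0]
                info["sections"].append((segname, sectname, offset, size))
                sec += 80
        elif cmd == LC_CODE_SIGNATURE:     # linkedit_data_command: dataoff, datasize
            info["code_signature"] = struct.unpack("<II", slice_[pos + 8:pos + 16])
        pos += cmdsize
    return info


def objc_class_names(slice_, info):
    """NUL-separated strings in __TEXT,__objc_classname (the notebook's rule anchors)."""
    for seg, sect, off, size in info["sections"]:
        if seg == "__TEXT" and sect == "__objc_classname":
            return [s.decode("ascii", "replace") for s in slice_[off:off + size].split(b"\0") if s]
    return []


def triage(data, cputype=CPU_TYPE_X86_64):
    """Notebook order: list slices, pick one, check signing, list sections and ObjC classes."""
    sl = extract_slice(data, cputype)
    info = parse_thin(sl)
    return {"arches": [CPU_NAMES.get(ct, hex(ct)) for ct, _, _ in fat_arches(data)],
            "arch": info["arch"], "signed": info["code_signature"] is not None,
            "sections": ["%s,%s" % (seg, sect) for seg, sect, _, _ in info["sections"]],
            "objc_classes": objc_class_names(sl, info)}


# --- constructed sample (not a real binary): one __TEXT segment per slice ---
def _build_slice(cputype, sections, signed):
    sizeofcmds = 72 + 80 * len(sections) + (16 if signed else 0)
    data_start, secs, blob = 32 + sizeofcmds, [], b""
    for name, content in sections:
        secs.append(struct.pack("<16s16sQQIIIIIIII", name.encode(), b"__TEXT", 0,
                                len(content), data_start + len(blob), 0, 0, 0, 0, 0, 0, 0))
        blob += content
    cmds = struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 72 + 80 * len(secs), b"__TEXT",
                       0, 0, 0, 0, 7, 5, len(secs), 0) + b"".join(secs)
    if signed:  # placeholder signature blob; real ones hold CodeDirectory/CMS data
        cmds += struct.pack("<IIII", LC_CODE_SIGNATURE, 16, data_start + len(blob), 32)
        blob += b"\0" * 32
    header = struct.pack("<8I", MH_MAGIC_64, cputype, 0, 2, 2 if signed else 1, sizeofcmds, 0, 0)
    return header + cmds + blob


def _build_fat(slices):
    out = bytearray(struct.pack(">II", FAT_MAGIC, len(slices)))
    offset, entries = (8 + 20 * len(slices) + 0xFFF) & ~0xFFF, []
    for ct, s in slices:  # 4 KiB alignment, as lipo lays slices out
        entries.append(struct.pack(">IIIII", ct, 0, offset, len(s), 12))
        offset += (len(s) + 0xFFF) & ~0xFFF
    out += b"".join(entries)
    for (_ct, s), e in zip(slices, entries):
        out += b"\0" * (struct.unpack(">IIIII", e)[2] - len(out)) + s
    return bytes(out)


CONSTRUCTED_FAT = _build_fat([
    (CPU_TYPE_X86_64, _build_slice(CPU_TYPE_X86_64, [("__text", b"\x55\x48\x89\xe5\xc3"),
        ("__objc_classname", b"PlaceholderClassA\0PlaceholderClassB\0")], signed=True)),
    (CPU_TYPE_ARM64, _build_slice(CPU_TYPE_ARM64, [("__text", b"\xc0\x03\x5f\xd6")], signed=False)),
])

if __name__ == "__main__":
    import json, sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else CONSTRUCTED_FAT
    print(json.dumps(triage(data), indent=2))
```

Two caveats a practitioner should keep in mind. The presence of `LC_CODE_SIGNATURE` only says a signature blob exists; whether it verifies, who signed it, and whether it is notarized is a separate check (`codesign -dv --verbose=4` and `codesign --verify` on macOS). And when turning these facts into rules, YARA's `macho` module already exposes the per-slice fields for fat files (for example `macho.file_index_for_arch(macho.CPU_TYPE_X86_64)` and `macho.file[i].segments[j].sections[k].sectname`), so conditions can be written against the right slice without extracting it first; the class-name strings are what make the rule specific to the family.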
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| URL | https://content.dropboxapi.com/… | 2018-09-21 | 2025-09-03 |
| URL | https://api.dropboxapi.com/2/fi… | 2023-01-16 | 2025-08-29 |
| HASH | b8a61adccefb13b7058e47edcd10a12… | 2023-01-16 | 2024-04-11 |
| YARA | MAL_CloudMensis_FlowEncrypt | 2023-01-16 | 2023-01-16 |
| YARA | APT_NK_APT37_CloudMensis_ClassD… | 2023-01-16 | 2023-01-16 |
| HASH | 55554944ad0c6122f4393d7a831706f… | 2023-01-16 | 2023-01-16 |
| URL | https://api.dropboxapi.com/2/fi… | 2023-01-16 | 2023-01-16 |